Guide to Computer Forensics and Investigations, Second Edition Chapter 5 Processing Crime and Incident Scenes.

Jan 04, 2016

Alban Marsh
Page 1: Guide to Computer Forensics and Investigations, Second Edition Chapter 5 Processing Crime and Incident Scenes.

Guide to Computer Forensics and Investigations, Second Edition

Chapter 5: Processing Crime and Incident Scenes

Page 2: Objectives

Guide to Computer Forensics and Investigations, 2e 2

• Collect evidence in private-sector incident scenes

• Process law enforcement crime scenes

• Prepare for a search

Page 3: Objectives (continued)

• Secure a computer incident or crime scene

• Seize digital evidence at the scene

• Review a case using three different computer forensics tools

Page 4: Collecting Evidence in Private-Sector Incident Scenes

• Freedom of Information Act (FOIA)
– States public records are open and available for inspection
– Citizens can request public documents created by federal agencies

• Homeland Security Act

• Patriot Act

Page 5: Collecting Evidence in Private-Sector Incident Scenes (continued)

• Corporate environment is much easier than criminal environment

• Employees’ expectation of privacy
– Create and publish a privacy policy
– Use warning banners

• State when an investigation can be initiated
– Reasonable suspicion

Page 6: Collecting Evidence in Private-Sector Incident Scenes (continued)

Page 7: Collecting Evidence in Private-Sector Incident Scenes (continued)

• Avoid becoming a law enforcement agent

• Check with your corporate attorney on how to proceed
– Commingled data
– Warrants
– Subpoena
– Civil liability

Page 8: Processing Law Enforcement Crime Scenes

• Criminal rules of search and seizure

• Probable cause
– Specific crime was committed
– Evidence exists
– Place to be searched includes evidence

• Warrant
– Probable cause
– Witness

Page 9: Processing Law Enforcement Crime Scenes (continued)

Page 10: Understanding Concepts and Terms Used in Warrants

• Innocent information
– Unrelated information

• Limiting phrase
– Separate innocent information from evidence

• Plain view doctrine
– Searched area can be extended

• Knock and announce

Page 11: Preparing for a Search

• Most important step in computing investigations

• Steps:
– Identifying the nature of the case
– Identifying the type of computer system
– Determining whether you can seize a computer
– Obtaining a detailed description of the location

Page 12: Preparing for a Search (continued)

• Steps (continued):
– Determining who is in charge
– Using additional technical expertise
– Determining the tools you need
– Preparing the investigation team

Page 13: Identifying the Nature of the Case

• Private or public

• Dictates:
– How you proceed
– Resources needed during the investigation

Page 14: Identifying the Type of Computing System

• Identify:
– Size of the disk drive
– Number of computers at the crime scene
– OSs
– Specific details about the hardware

• Easier to do in a controlled environment, such as a corporation

Page 15: Determining Whether You Can Seize a Computer

• Ideal situation
– Seize computers and take them to your lab

• Not always possible

• Need a warrant

• Consider using portable resources

Page 16: Obtaining a Detailed Description of the Location

• Get as much information as you can

• Identify potential hazards
– Interact with your HAZMAT team

• HAZMAT guidelines
– Protect your target disk before using it
– Check for high temperatures

Page 17: Determining Who Is in Charge

• Corporate computing investigations require only one person to respond

• Law enforcement agencies:
– Handle large-scale investigations
– Designate leader investigators

Page 18: Using Additional Technical Expertise

• Look for specialists
– OSs
– RAID servers
– Databases

• Can be difficult to find

• Educate specialists who are not investigators in proper investigative techniques
– Prevent evidence damage

Page 19: Determining the Tools You Need

• Prepare your tools using incident and crime scene information

• Initial-response field kit
– Lightweight
– Easy to transport

• Extensive-response field kit
– Includes all tools you can afford

Page 20: Determining the Tools You Need (continued)

Page 21: Determining the Tools You Need (continued)

Page 22: Preparing the Investigation Team

• Review facts, plans, and objectives

• Coordinate an action plan with your team
– Collect evidence
– Secure evidence

• Slow response can cause digital evidence to be lost

Page 23: Securing a Computer Incident or Crime Scene

• Preserve the evidence

• Keep information confidential

• Define a secure perimeter
– Use yellow barrier tape
– Legal authority

• Professional curiosity
– Can destroy evidence

Page 24: Seizing Digital Evidence at the Scene

• Law enforcement can seize evidence with a proper warrant

• Corporate investigators rarely can seize evidence

• U.S. DoJ standards for seizing digital data

• Civil investigations follow same rules
– Require less documentation, though

• Consult with your attorney for extra guidelines

Page 25: Processing a Major Incident or Crime Scene

• Guidelines
– Keep a journal
– Secure the scene
– Be professional and courteous with onlookers
– Remove people who are not part of the investigation
– Video record the computer area

• Pay attention to details

• Look under desks, chairs

• Examine dropped ceilings

Page 26: Processing a Major Incident or Crime Scene (continued)

• Guidelines (continued)
– Sketch the incident or crime scene
– Check computers as soon as possible
– Save data from current applications as safely as possible
– Make notes of everything you do when copying data from a live suspect computer
– Close applications and shut down the computer

Page 27: Processing a Major Incident or Crime Scene (continued)

• Guidelines (continued)
– Look for information related to the investigation
• Passwords, passphrases, PINs, bank accounts
– Collect documentation and media related to the investigation
• Hardware, software, backup media

Page 28: Processing Data Centers with an Array of RAIDs

• Sparse evidence file recovery
– Extracts only data related to evidence for your case from allocated files
– Minimizes how much data you need to analyze
– Doesn’t recover residual data in free or slack space
– If you have a computer forensics tool that accesses the unallocated space on a RAID system, work it on a test system first to make sure it doesn’t corrupt the RAID computer

Page 29: Using a Technical Advisor at an Incident or Crime Scene

• Technical specialists

• Responsibilities:
– Know aspects of the seized system
– Direct the investigator handling sensitive material
– Help secure the scene
– Help document the planning strategy
– Conduct ad hoc training
– Document activities

Page 30: Sample Civil Investigation

• Recover specific evidence
– Suspect’s Outlook e-mail folder (PST file)

• Covert surveillance
– Company policy
– Risk of civil or criminal liability

• Sniffing tools
– For data transmissions

Page 31: Sample Criminal Investigation

• Computer crimes examples
– Fraud
– Check fraud
– Homicides

• Need a warrant to start seizing evidence
– Limit searching area

Page 32: Sample Criminal Investigation (continued)

Page 33: Reviewing a Case

• Tasks for planning your investigation
– Identify the case requirements
– Plan your investigation
– Conduct the investigation
– Complete the case report
– Critique the case

Page 34: Identifying the Case Requirements

• Identify requirements, such as:
– Nature of the case
– Suspect’s name
– Suspect’s activity
– Suspect’s hardware and software specifications

Page 35: Planning Your Investigation

• List what you can assume or know
– Several incidents may or may not be related
– Suspect’s computer can contain information about the case
– Whether someone else has used suspect’s computer

• Make an image of suspect’s computer disk drive

• Analyze forensics copy

Page 36: DriveSpy

• Functions
– Create an image
– Verify validity of image
– Analyze image
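The three DriveSpy functions above (create an image, verify its validity, analyze the copy), the "make an image, analyze the forensic copy" plan on page 35, and the page 26 guideline to make notes of everything you do when copying data all come together in one small acquisition routine. The following is an added example written for this page; it is not code from the textbook, from DriveSpy, FTK or X-Ways, and it does not do what those tools do beyond the bit-stream copy and hash check. It assumes a source that can be opened as a file or block device, a hardware or software write blocker in front of that source (nothing here provides one), and it uses a constructed in-memory "drive" so it runs offline.

```python
"""Bit-stream imaging with hash verification and a running journal.

Added example; not code from the textbook or from DriveSpy/FTK/X-Ways.
Assumptions: the source is readable as a file or block device and is
already behind a write blocker. The sample source below is constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # bytes read per iteration


def _hashes_of(path):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def create_image(source, image_path, journal):
    """Copy every byte of `source` to `image_path`, hashing as we go.

    Appends a journal entry with timestamps, byte count and digests
    (examiner name, case number, etc. are left to the examiner).
    Returns the (md5, sha256) of the source as seen during acquisition.
    """
    md5, sha = hashlib.md5(), hashlib.sha256()
    started = datetime.now(timezone.utc).isoformat()
    size = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is on disk before hashing it
    entry = {
        "action": "acquire",
        "source": source,
        "image": image_path,
        "bytes": size,
        "started": started,
        "finished": datetime.now(timezone.utc).isoformat(),
        "md5": md5.hexdigest(),
        "sha256": sha.hexdigest(),
    }
    journal.append(entry)
    return entry["md5"], entry["sha256"]


def verify_image(image_path, expected, journal):
    """Re-hash the image file and compare with the acquisition digests."""
    actual = _hashes_of(image_path)
    ok = actual == tuple(expected)
    journal.append({
        "action": "verify",
        "image": image_path,
        "when": datetime.now(timezone.utc).isoformat(),
        "md5": actual[0],
        "sha256": actual[1],
        "result": "match" if ok else "MISMATCH",
    })
    return ok


def demo():
    """Image a constructed 'drive', verify it, then show a tamper is caught."""
    journal = []
    workdir = tempfile.mkdtemp()
    drive = os.path.join(workdir, "suspect_drive.bin")
    image = os.path.join(workdir, "suspect_drive.dd")
    # Constructed sample content standing in for a real block device.
    with open(drive, "wb") as f:
        f.write(b"MBR" + bytes(range(256)) * 3000 + b"outlook.pst\x00")
    expected = create_image(drive, image, journal)
    clean = verify_image(image, expected, journal)
    # Flip one byte inside the image: the second verification must fail.
    with open(image, "r+b") as f:
        f.seek(512)
        b = f.read(1)
        f.seek(512)
        f.write(bytes([b[0] ^ 0xFF]))
    tampered = verify_image(image, expected, journal)
    return clean, tampered, journal


if __name__ == "__main__":
    ok, bad, log = demo()
    print(json.dumps(log, indent=2))
    print("verified:", ok, "after tamper:", bad)
```

Hashing the source stream during the copy, and then re-hashing the written image separately, is what lets a later examiner show that the analyzed copy is the same bits that left the scene; the journal entries are what the page 26 "make notes of everything" guideline asks for, in a form that can be attached to the case report.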

Page 37: DriveSpy (continued)

Page 38: DriveSpy (continued)

Page 39: Access Data Forensic Toolkit (FTK)

• Functions
– Extract the image from a bit-stream image file
– Analyze the image

Page 40: Access Data Forensic Toolkit (FTK) (continued)

Page 41: Access Data Forensic Toolkit (FTK) (continued)

Page 42: X-Ways Forensics

• Functions
– Extract forensic image
– Analyze image

Page 43: X-Ways Forensics (continued)

Page 44: X-Ways Forensics (continued)

Page 45: X-Ways Forensics (continued)

Page 46: Summary

• Private sector
– Contained and controlled area

• Publish right to inspect computer assets policy

• Private and public sectors follow same computing investigation rules

• Avoid becoming an agent of law enforcement

• Criminal cases require warrants

Page 47: Summary (continued)

• Protect your safety and health as well as the integrity of the evidence from hazardous materials

• Follow guidelines when processing an incident or crime scene
– Securing perimeter
– Video recording

Page 48: Summary (continued)

• Become familiar with forensics tools
– DriveSpy and Image
– FTK
– X-Ways Forensics

Page 49: Questions & Discussion